

breaking: Use workload identity for AKS (#134)
* different pod identity file

* added workload identity

* added workload identity

* added workload identity using module

* pre-commit fixes

* workload identity module fixed

* pre-commit fixs
diegolagospagopa authored Aug 22, 2024
1 parent 7a73c8c commit 57953d7
Showing 7 changed files with 106 additions and 63 deletions.
56 changes: 28 additions & 28 deletions src/domains/testit-app/.terraform.lock.hcl


16 changes: 0 additions & 16 deletions src/domains/testit-app/02_namespace_domain.tf
Expand Up @@ -4,22 +4,6 @@ resource "kubernetes_namespace" "domain_namespace" {
}
}

module "domain_pod_identity" {
source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_pod_identity?ref=v8.17.1"

resource_group_name = local.aks_resource_group_name
location = var.location
tenant_id = data.azurerm_subscription.current.tenant_id
cluster_name = local.aks_name

identity_name = "${var.domain}-pod-identity"
namespace = kubernetes_namespace.domain_namespace.metadata[0].name
key_vault_id = data.azurerm_key_vault.kv_domain.id

secret_permissions = ["Get"]
certificate_permissions = ["Get"]
}

resource "helm_release" "reloader" {
name = "reloader"
repository = "https://stakater.github.io/stakater-charts"
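--- a/src/domains/testit-app/05_pod_identity.tf
+++ b/src/domains/testit-app/05_pod_identity.tf
@@ -0,0 +1,15 @@
+module "domain_pod_identity" {
+source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_pod_identity?ref=v8.17.1"
+
+resource_group_name = local.aks_resource_group_name
+location = var.location
+tenant_id = data.azurerm_subscription.current.tenant_id
+cluster_name = local.aks_name
+
+identity_name = "${var.domain}-pod-identity"
+namespace = kubernetes_namespace.domain_namespace.metadata[0].name
+key_vault_id = data.azurerm_key_vault.kv_domain.id
+
+secret_permissions = ["Get"]
+certificate_permissions = ["Get"]
+}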
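Review bot: The AAD Pod Identity module is not retired by this commit, only moved from 02_namespace_domain.tf into this file and still pinned at ?ref=v8.17.1, so the domain now carries two Azure identities that each hold Get on data.azurerm_key_vault.kv_domain: this one and the new module.workload_identity. If the commit is meant as a migration, this file should say so explicitly so the extra identity and its Key Vault access policy do not linger once tls_checker and cert_mounter (already switched in 80_middleware_tools.tf) were the only consumers; I would add at the top `# TODO: remove once no domain workload still uses the pod identity; superseded by module.workload_identity in 05_workload_identity.tf`. Whether any other workload in this namespace still depends on the pod identity is not visible from this diff, so the removal itself can follow in a later change.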
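--- a/src/domains/testit-app/05_workload_identity.tf
+++ b/src/domains/testit-app/05_workload_identity.tf
@@ -0,0 +1,14 @@
+module "workload_identity" {
+source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity?ref=v8.39.0"
+
+workload_name_prefix = var.domain
+workload_identity_resource_group_name = data.azurerm_kubernetes_cluster.aks.resource_group_name
+aks_name = data.azurerm_kubernetes_cluster.aks.name
+aks_resource_group_name = data.azurerm_kubernetes_cluster.aks.resource_group_name
+namespace = var.domain
+
+key_vault_id = data.azurerm_key_vault.kv_domain.id
+key_vault_certificate_permissions = ["Get"]
+key_vault_key_permissions = ["Get"]
+key_vault_secret_permissions = ["Get"]
+}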
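Review bot: `key_vault_key_permissions = ["Get"]` grants the new identity access to Key Vault keys, which the pod identity it replaces never had (that module only sets secret_permissions and certificate_permissions), and neither consumer wired to it in 80_middleware_tools.tf — tls_checker reading a connection-string secret and cert_mounter reading a certificate — visibly needs keys. Unless another workload in this namespace requires key operations, I would drop that line, or set `key_vault_key_permissions = []` if the module accepts an empty list, so the identity keeps the same least-privilege scope as before. Separately, `namespace = var.domain` is a bare string while the pod-identity module references `kubernetes_namespace.domain_namespace.metadata[0].name`; using the resource reference here too would keep the service account in the namespace Terraform actually created and give it the create-order dependency.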
55 changes: 42 additions & 13 deletions src/domains/testit-app/80_middleware_tools.tf
@@ -1,13 +1,27 @@
# module "tls_checker" {
# source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//tls_checker?ref=v8.18.0"
#
# https_endpoint = local.domain_aks_hostname
# alert_name = local.domain_aks_hostname
# alert_enabled = true
# helm_chart_present = true
# namespace = kubernetes_namespace.domain_namespace.metadata[0].name
# location_string = var.location
# kv_secret_name_for_application_insights_connection_string = "dvopla-d-itn-appinsights-connection-string"
# keyvault_name = data.azurerm_key_vault.kv_domain.name
# keyvault_tenant_id = data.azurerm_client_config.current.tenant_id
# application_insights_resource_group = data.azurerm_resource_group.monitor_rg.name
# application_insights_id = data.azurerm_application_insights.application_insights.id
# application_insights_action_group_ids = [data.azurerm_monitor_action_group.slack.id, data.azurerm_monitor_action_group.email.id]
# }

module "tls_checker" {
source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//tls_checker?ref=v8.18.0"
source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//tls_checker?ref=v8.38.0"

https_endpoint = local.domain_aks_hostname
alert_name = local.domain_aks_hostname
alert_enabled = true
helm_chart_present = true
# helm_chart_version = var.tls_cert_check_helm.chart_version
# helm_chart_image_name = var.tls_cert_check_helm.image_name
# helm_chart_image_tag = var.tls_cert_check_helm.image_tag
https_endpoint = local.domain_aks_hostname
alert_name = local.domain_aks_hostname
alert_enabled = true
helm_chart_present = true
namespace = kubernetes_namespace.domain_namespace.metadata[0].name
location_string = var.location
kv_secret_name_for_application_insights_connection_string = "dvopla-d-itn-appinsights-connection-string"
Expand All @@ -16,12 +30,27 @@ module "tls_checker" {
application_insights_resource_group = data.azurerm_resource_group.monitor_rg.name
application_insights_id = data.azurerm_application_insights.application_insights.id
application_insights_action_group_ids = [data.azurerm_monitor_action_group.slack.id, data.azurerm_monitor_action_group.email.id]

workload_identity_enabled = true
workload_identity_service_account_name = module.workload_identity.workload_identity_service_account_name
workload_identity_client_id = module.workload_identity.workload_identity_client_id
}

# module "cert_mounter" {
# source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cert_mounter?ref=v8.17.1"
# namespace = var.domain
# certificate_name = replace(local.domain_aks_hostname, ".", "-")
# kv_name = data.azurerm_key_vault.kv_domain.name
# tenant_id = data.azurerm_subscription.current.tenant_id
# }

module "cert_mounter" {
source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cert_mounter?ref=v8.17.1"
namespace = var.domain
certificate_name = replace(local.domain_aks_hostname, ".", "-")
kv_name = data.azurerm_key_vault.kv_domain.name
tenant_id = data.azurerm_subscription.current.tenant_id
source = "git::https://github.com/pagopa/terraform-azurerm-v3.git//cert_mounter?ref=v8.38.0"
namespace = var.domain
certificate_name = replace(local.domain_aks_hostname, ".", "-")
kv_name = data.azurerm_key_vault.kv_domain.name
tenant_id = data.azurerm_subscription.current.tenant_id
workload_identity_enabled = true
workload_identity_service_account_name = module.workload_identity.workload_identity_service_account_name
workload_identity_client_id = module.workload_identity.workload_identity_client_id
}
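Review bot: The previous tls_checker and cert_mounter definitions are left in the file as commented-out blocks (`# module "tls_checker" {` … and `# module "cert_mounter" {` …), together with three commented `helm_chart_*` arguments inside the live tls_checker block. Commented-out HCL is never validated, still points at the old ?ref=v8.18.0 and ?ref=v8.17.1 module sources, and tends to be uncommented later with stale versions and without the workload_identity_* arguments; git history already preserves the old configuration, so I would delete both blocks. If the helm_chart_version/image lines are meant to be wired to a variable later, a single `# TODO: expose chart version/image via var.tls_cert_check_helm` in the live block documents that intent better than dead code. Note the second hunk starts at "Expand All", so lines between the two hunks of this file are not visible here.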
4 changes: 2 additions & 2 deletions src/domains/testit-app/99_main.tf
Expand Up @@ -2,7 +2,7 @@ terraform {
required_providers {
azurerm = {
source = "hashicorp/azurerm"
version = "<= 3.105.0"
version = "<= 3.115.0"
}
azuread = {
source = "hashicorp/azuread"
Expand All @@ -14,7 +14,7 @@ terraform {
}
kubernetes = {
source = "hashicorp/kubernetes"
version = "<= 2.27.0"
version = "<= 2.35.0"
}
helm = {
source = "hashicorp/helm"
9 changes: 5 additions & 4 deletions src/domains/testit-app/README.md
Expand Up @@ -5,20 +5,21 @@
| Name | Version |
|------|---------|
| <a name="requirement_azuread"></a> [azuread](#requirement\_azuread) | <= 2.47.0 |
| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | <= 3.105.0 |
| <a name="requirement_azurerm"></a> [azurerm](#requirement\_azurerm) | <= 3.115.0 |
| <a name="requirement_helm"></a> [helm](#requirement\_helm) | <= 2.12.1 |
| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | <= 2.27.0 |
| <a name="requirement_kubernetes"></a> [kubernetes](#requirement\_kubernetes) | <= 2.35.0 |
| <a name="requirement_local"></a> [local](#requirement\_local) | <= 2.5.1 |
| <a name="requirement_null"></a> [null](#requirement\_null) | <= 3.2.1 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| <a name="module_cert_mounter"></a> [cert\_mounter](#module\_cert\_mounter) | git::https://github.com/pagopa/terraform-azurerm-v3.git//cert_mounter | v8.17.1 |
| <a name="module_cert_mounter"></a> [cert\_mounter](#module\_cert\_mounter) | git::https://github.com/pagopa/terraform-azurerm-v3.git//cert_mounter | v8.38.0 |
| <a name="module_domain_pod_identity"></a> [domain\_pod\_identity](#module\_domain\_pod\_identity) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_pod_identity | v8.17.1 |
| <a name="module_system_service_account"></a> [system\_service\_account](#module\_system\_service\_account) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_service_account | v8.17.1 |
| <a name="module_tls_checker"></a> [tls\_checker](#module\_tls\_checker) | git::https://github.com/pagopa/terraform-azurerm-v3.git//tls_checker | v8.18.0 |
| <a name="module_tls_checker"></a> [tls\_checker](#module\_tls\_checker) | git::https://github.com/pagopa/terraform-azurerm-v3.git//tls_checker | v8.38.0 |
| <a name="module_workload_identity"></a> [workload\_identity](#module\_workload\_identity) | git::https://github.com/pagopa/terraform-azurerm-v3.git//kubernetes_workload_identity | v8.39.0 |

## Resources

